EU Digital Operational Resilience Act (DORA) Compliance Checklist 2026
EU DORA (Regulation 2022/2554, in application January 17, 2025) applies to 20 categories of EU-regulated financial entities and their ICT service providers. It mandates a harmonized ICT risk managemen…
Maximum penalty: 2% of total annual worldwide net turnover for financial entities; up to €5,000,000 for ICT service providers; €1,000,000/day for critical ICT providers
Complete each item below to achieve compliance. Use ComplianceIQ to generate all required documentation automatically.
Regulatory Requirements
1. ICT Risk Management Framework
Implement a documented ICT risk management framework covering all ICT assets, including AI tools and services. The framework must include risk identification, protection measures, detection capabilities, response protocols, and recovery procedures. Board-level oversight of ICT risk is required.
2. Third-Party ICT Risk Assessment (AI Vendors)
Assess and document ICT risks from all third-party ICT service providers, including AI tool vendors (OpenAI, Microsoft Copilot, etc.). Contracts with ICT service providers must include mandatory clauses: security requirements, audit rights, exit strategies, and incident notification obligations.
3. Major ICT Incident Reporting
Establish incident management processes to detect, classify, and report major ICT-related incidents to the relevant national competent authority, including incidents caused by or involving AI systems. Initial report within 4 hours; full report within 72 hours.
4. Digital Operational Resilience Testing
Conduct annual resilience testing of ICT systems, including AI tools (vulnerability assessments, penetration testing). Significant institutions must conduct Threat-Led Penetration Testing (TLPT) every 3 years.
Implementation Steps
5. Identify all AI/ML systems used in ICT-dependent financial functions
6. Include AI systems in your ICT risk management framework
7. Conduct resilience testing of AI-driven systems (at least annually)
8. Map AI third-party dependencies — classify as Critical ICT Third-Party Providers if applicable
9. Register Critical ICT Third-Party Providers with the relevant ESA
10. Establish exit strategies for AI vendor concentration risk
11. Include AI incidents in your incident classification and reporting procedures